Security and privacy at Scribe

While your teams use Scribe to document and share processes, we want you to know your data is 100% protected. Scribe is not just easy and fast — it’s secure.

97% of the Fortune 100 trust Scribe

Enterprise-grade security

In addition to an industry-leading security program, our product has numerous built-in security features to ensure Scribe is used per your organization’s security requirements.

Admin-enforced redaction

For organizations concerned with PII and PHI, admins can configure automatic redaction for specific categories of sensitive data. This data will be automatically blurred from every user’s screenshots and cannot be overridden.

Automatic redaction

When creating a Scribe for a sensitive process, a user can configure categories of sensitive data to be automatically redacted out of all screenshots, ensuring the data stays out of your guide and off our servers.

Manual redaction

Users who need to blur sensitive data from existing screenshots can use the manual redaction tool. Once blurred, the screenshot cannot be unblurred without the right permissions.

Other secure features
Authenticated viewers
Role-based access control
Multi-team governance
Custom permissions
SSO
SCIM provisioning and deprovisioning
Domain control
Activity audit log
IP whitelisting

Compliance

Scribe adheres to global privacy laws and security standards with measures in place to help you meet your compliance obligations. You can access our compliance reports in our Trust Center.

SOC 2
(Type 2)

Scribe meets security trust services criteria.

US State Privacy Laws

Scribe complies with relevant US state privacy laws.

HIPAA

Scribe offers features to support HIPAA compliance.

FERPA

Scribe offers features to support FERPA compliance.

GDPR

Scribe complies with data protection and data subject rights for EU residents.

AI security

Scribe AI

Although our core functionality of automatically creating step-by-step guides doesn't use AI, we do offer supporting features powered by third-party AI services. Enterprise customers can opt out of AI features.

AI-powered features
Scribe titles
Scribe descriptions
Page generation
Text-to-speech
Speech-to-text
Your privacy is our priority

Scribe partners with 3rd party AI providers to provide the fastest, easiest documentation experience. Your data security is our top priority, and we ensure that these partners adhere to the same high standards for protecting your intellectual property.

Protecting your data

We do not allow our AI service providers to use your data to train their models. Our AI providers delete any Scribe user data it has processed for the purpose of providing services to you within 30 days. Providers never receive the images in your Scribes.

Rigorous security controls

Our service providers each have an executed data processing agreement with Scribe that binds the vendor to the same or more rigorous security controls that Scribe implements, including data encryption, backups, and retention measures.

Data protection

For more information on our privacy standards, see our Privacy Policy.

Data at rest

We encrypt all data at rest using AES-256 encryption, ensuring your information is securely stored and protected from unauthorized access.

Data in transit

All data sent to or from our infrastructure is encrypted in transit using industry-standard Transport Layer Security (TLS) 1.2+, keeping your information safe while it's being transmitted. You can see our SSLLabs report here.

Secret management

Access to encryption keys is strictly controlled and limited to authorized users with a business need, ensuring that your data remains confidential and secure. We leverage a key management vault with key rotation to protect and secure keys.

Intrusion detection and prevention

We use advanced intrusion detection and prevention systems to monitor and protect our environment, quickly identifying and addressing potential threats to keep your data safe. These systems scan for anomalistic or suspicious activity and page alerts to our 24x7 on-call security engineer.

Product security

Protection and privacy

We collect two types of user data.

User content

When a user is signed into the Scribe extension and app, we collect IP address, browser type, machine type, OS type, city-level geolocation, and user ID. This information is shared with subprocessors for troubleshooting, error reporting, product improvement, and user analytics. This data is securely hashed, aggregated, and encrypted by our subprocessors.

User session data

When a user is signed in to the Scribe extension and application, we collect IP address, browser type, machine type, operating system type, city-level geolocation, and user ID. This data is shared with our subprocessors to support troubleshooting, error reporting, product enhancement, and user analytics.

Penetration testing

We conduct regular penetration testing to identify and address potential security vulnerabilities, keeping our systems robust against external threats.

Vulnerability scanning

Our infrastructure undergoes continuous vulnerability scanning at least monthly alongside continuous automated monitoring to detect and resolve weaknesses, maintaining a secure environment for your data.

Data encryption

All data is encrypted both in transit and at rest using industry-standard AES-256 and TLS 1.2+ protocols, ensuring comprehensive protection of your information.

Organizational security

Asset inventory maintained

We keep a detailed inventory of all our production system assets to ensure everything is tracked and managed efficiently, helping us maintain a secure and organized environment. The inventory tracks the status of annual security reviews for assets supporting service delivery.

Employee background checks performed

To ensure a secure workplace, we conduct thorough background checks on all new employees and contractors, including criminal and educational history.

Information security training

Our employees receive ongoing training in information security at least annually, keeping everyone updated on best practices and the latest security protocols to protect your data.

Endpoint management


We use advanced endpoint monitoring tools to monitor and secure all devices connected to our network, ensuring they meet our security standards and protecting against potential threats.

Offboarding process formalized

Our offboarding process ensures that when an employee leaves, their access to our systems is promptly and securely revoked, protecting your data and maintaining our security standards.

Infrastructure security

Overview

Scribe’s infrastructure is hosted in SOC 2 Type II and ISO 27001 compliant data centers. Scribe has backup data center regions with failover and restore capabilities to ensure high availability.

Least permissions access control

We enforce least permissions access control, granting employees the minimal access necessary for their roles. We continuously monitor these permissions to protect your data.

Segregated production environment

Our development, staging, and production environments are fully segregated to prevent unauthorized access and ensure the integrity of our live systems.

Network and system pardoning

We apply rigorous network and system hardening practices, including disabling unnecessary services, changing defaults, and applying security patches, to reduce vulnerabilities and bolster defenses.

Web application firewall

Our web application firewall (WAF) shields against common threats like SQL injection and cross-site scripting, providing an additional layer of protection for our applications.

Reliability & availability

Uptime and availability
Uptime commitment

We are committed to providing the best service and availability. Learn more about our service status here.

Global support

Our global Support team works diligently to address any issues quickly. Enterprise customers receive priority support by a dedicated team.

Business continuity
Near-instantaneous backups

We back up all our critical assets and regularly run backup restores to guarantee fast recovery in case of disaster. Your data is backed up within minutes of transmission to our service. All of our backups are encrypted for data protection and are subject to heightened access control.

Geographically redundant backups

We have redundant data center zones in place with failover capabilities to ensure availability of services. Scribe’s RTO is 8 hours and RPO is 24 hours, providing quick restoration of services in the event of an outage and minimal to no data loss. We test our restore capabilities quarterly and consistently exceed our RTO.

Failover and recovery procedures

We have robust failover and recovery procedures to quickly restore services and minimize downtime, ensuring your business continues to operate smoothly.